Merge branch 'devopsshield:main' into main

emmanuel-knafo · web-flow · commit fdbf68a03810 · 2024-05-26T23:40:01.000-04:00
diff --git a/labs/lab03.md b/labs/lab03.md
@@ -37,33 +37,30 @@ References:
 
 ## 3.2 Create new environments, variables, and secrets - advanced pipeline
 
-1. Open the workflow file [environments-secrets.yml](/.github/workflows/environments-secrets.yml)
-2. Edit the file and copy the following YAML content between the test and prod jobs (before the `use-environment-prod:` line):
-```YAML
-
-  use-environment-uat:
-    name: Use UAT environment
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    needs: use-environment-test
-
-    environment:
-      name: UAT
-      url: 'https://uat.github.com'
-    
-    steps:
-      - name: Step that uses the UAT environment
-        run: echo "Deployment to UAT..."
-        env: 
-          env_secret: ${{ secrets.MY_ENV_SECRET }}
-
-```
-7. Inside the `use-environment-prod` job, replace `needs: use-environment-test` with:
-```YAML
-    needs: use-environment-uat
+1. Try running the advanced pipeline and you will quickly see it fail
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/f415605a-e5b8-44bd-800b-abca9a0eb68a)
+3. You can immediately remedy this by running
+```POWERSHELL
+.\Create-GitHubEnvironments.ps1 -ghOwner emmanuel-knafo `
+    -ghRepo devsecops-workshop `
+    -dockerName crs001fwmpo7kn3hnty `
+    -dockerPassword "Dgv*************************************************" `
+    -defectDojoProductId 6 `
+    -defectDojoToken "607*************************************" `
+    -githubReadOnlyPersonalAccessTokenClassic "ghp_pPK*********************************" `
+    -kubeConfigFileName "C:\Users\emmanuel.DEVOPSABCS\Downloads\wrkshp-001-student-001-config-aks-wrkshp-001-s-001"
 ```
-8. Commit the changes into the `main` branch
-9. Go to `Actions` and see the details of your running workflow
-10. Review your deployment and approve the pending UAT job
-    - [Reviewing deployments](https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments)
-11. Go to `Settings` > `Environments` and update the `PROD` environment created to protect it with approvals (same as UAT)
+3. You can grab all the parameter values from the OneDrive file you received:
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/e8e19ef5-f2c0-475c-8980-c80c56bbf176)
+4. Or you can enter each environment secret and variable manually till you get something like:
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/064215a3-a8d8-4650-950e-d2c1cd93032e)
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/b8a1ecdc-f215-4d12-bc25-500113c05f87)
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/e866fe16-7770-4f57-9942-c500121ceb10)
+6. Then run the advanced pipeline again
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/87935f10-003c-4a46-a76c-3973b17e35fa)
+7. It should end like this:
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/50900633-57f7-43c5-ae5c-7b20fa5a4ae0)
+9. You can view the deployed app here: http://gh-pygoat.cad4devops.com or find the ip in the deployment such as http://20.175.206.146 :
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/ba4b6912-f616-4da9-b2ff-2eb1ab118afa)
+10. Pygoat App is a great way to learn more about DevSecOps
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/aea2bf6e-538e-465e-821b-6518b047ce92)
diff --git a/labs/lab04.md b/labs/lab04.md
@@ -10,14 +10,26 @@ References:
 
 ## 4.1 Secret Scanning with Gitleaks
 
-1. For a workflow to be reusable, the `on` must include the `workflow_call` event
-
+1. For Gitleaks Secret Scanning, uncomment this action:
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/0894fb96-77a9-4d16-96ac-b17a20d325f6)
+1. Run the pipeline to see
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/db223fc0-ce46-422a-a564-04aa9573dc4a)
 
 ## 4.2 Software Composition Analysis with OWASP Dependency Check
 
-1. Uncommant the action
+1. Uncomment the actions ```dependency-check/Dependency-Check_Action@main```
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/69843416-215b-440f-ba3a-b5c83f393ae5)
+1. See the pipeline run
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/5a573256-dd04-4783-b91d-18e3016595da)
 
 ## 4.3 Static Application Security Test with CodeQL
 
-1. Enable
-
+1. Enable CodeQL in GitHub security settings
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/49a1f30a-7485-4454-bf38-385d19660d32)
+3. Be sure to configure the tool
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/c2f5d15e-35dc-408c-9a34-bee0a70647e7)
+4. Click Enable CodeQL
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/d21d21dd-a839-4665-8807-9836172fcc1c)
+6. After a scan, you should see some security vulnerabilities
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/7bf6aeb6-5f64-4498-ab76-a166bb86c551)
+![image](https://github.com/devopsshield/devsecops-workshop/assets/112144174/d74ea483-e82e-4dcc-aae0-6bab275487d7)
